On Feb 19, 2012 1:27 AM, "Michael Mol" <mike...@gmail.com> wrote:
>
> And every time that's successful, it's because some idiot admin wasn't
> filtering their incoming BGP traffic properly. Ditto the network in Florida
> which acted as a black hole for the entire Internet in the late 90s.
>
> Proper training and filtering helps prevent these kinds of issues. It's
> happened, sure. And it will happen again. And it will be recovered from
> again. Policies will be adapted, trained and forgotten, again.

Not necessarily. BGP routers at network borders are already configured to
filter practically all BGP traffic that does not come from their trusted
neighbors.

They have to be able to respond quickly to outages, to switch to another
neighbor.

In both incidents in the article, the causes are the same: misconfiguration
(accidental or deliberate) of the China backbone router. This
misconfiguration got propagated to the neighbor routers, which are
explicitly configured to trust the China backbone routers.

Remember that, unlike IP addresses, AS numbers are not assigned
hierarchically. So, impacted routers have no way to detect if the China
router is actually authorized to route for the ASes it advertised (except
directly connected ASes).

Rgds,
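
An added example, not part of the original message: a per-neighbor inbound filter of the kind the quoted text calls for, assuming the operator keeps an out-of-band table of which prefixes and origin ASes each trusted neighbor may announce. The table, the function names, the AS numbers and the prefixes are all constructed (documentation ranges); without such a table the third sample announcement would be accepted simply because it arrives from a trusted neighbor.

```python
import ipaddress

# Constructed policy (assumption): per trusted neighbor AS, the prefixes it
# may announce, the origin AS expected for each, and the longest mask accepted.
POLICY = {
    64500: [
        ("198.51.100.0/24", 64500, 24),  # the neighbor's own space
        ("203.0.113.0/24", 64501, 24),   # a customer reached via the neighbor
    ],
}

def check_announcement(neighbor_as, prefix, as_path):
    """Return (accepted, reason) for one announcement received from a neighbor."""
    net = ipaddress.ip_network(prefix)
    if neighbor_as not in POLICY:
        return False, "untrusted neighbor"
    if not as_path or as_path[0] != neighbor_as:
        return False, "first AS in path is not the neighbor"
    origin = as_path[-1]
    for allowed, allowed_origin, max_len in POLICY[neighbor_as]:
        allowed_net = ipaddress.ip_network(allowed)
        if net.version == allowed_net.version and net.subnet_of(allowed_net):
            if net.prefixlen > max_len:
                return False, "more specific than allowed"
            if origin != allowed_origin:
                return False, "unexpected origin AS"
            return True, "ok"
    return False, "prefix not registered for this neighbor"

# Constructed sample announcements: (neighbor AS, prefix, AS path).
SAMPLE = [
    (64500, "198.51.100.0/24", [64500]),
    (64500, "203.0.113.0/24", [64500, 64501]),
    (64500, "192.0.2.0/24", [64500]),            # trusted neighbor, foreign prefix
    (64500, "198.51.100.128/25", [64500]),       # more-specific of an allowed block
    (64500, "203.0.113.0/24", [64500, 64502]),   # right prefix, wrong origin
    (64510, "198.51.100.0/24", [64510]),         # session with no policy entry
]

def filter_updates(updates):
    """Apply the filter to a batch and return the list of (accepted, reason)."""
    return [check_announcement(n, p, path) for n, p, path in updates]

if __name__ == "__main__":
    for update, (ok, reason) in zip(SAMPLE, filter_updates(SAMPLE)):
        print("ACCEPT" if ok else "REJECT", update[1], "via AS", update[0], "-", reason)
```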
